Authorization Yii

dear masters,

Help me solve this one please. I have users with 2 level/role (admin & member). User with admin role are able to access the whole data and CRUD. but the member, can only read, update and delete the posts that they created before. the question is, how to make an authorization in loadModel function so the member can only access (read, update and delete) their own posts but the admin still able to access all data?

thanks before :))

I follow this approach:

Write a masterclass for ar in wich you make the check on afterfind:

if (module='admin' && user != administrator && record != mine)

   throw new Exception (you are not authorized);

This give you 100% safety, too bad that the list are not working now.

So add a filter in each list for filter only the records the user is authorized to, and the trick is done.

Never limit the securty only on the list filtering, the user can always write in the url the id of a record he is not supposed to edit, and if you don’t have the check in afterfind you will have a securty issue.

I see, thanks :)

but, unfortunately my instructor ask me to make this authorization in loadModel function only. So, that’s why I can’t use that :’(

The grid is loaded without calling the load model, that means that in the grid you will have record the user is not authorized to.

Also, in load model you have to remember to do this check all times, if you forget one no signs there are, until some user will notice strange changing in his data (or, worst, unouthorized payments).

yeah thanks in advance :)

my instructor just give me the answer. it just need to be filtered in the loadModel for example like this one:

if(Yii::app()->user->isMember && $model->id_member!==Yii::app()->user->ref_id)

            throw new CHttpException(403, 'Anda tidak berhak melihat halaman ini.');

Hm, if you’re doing it like that, you might consider using a named scope. It’ll be way more db-friendly ;)

okay, I’ll try it :) thanks for all of you guys !!